Romanian Charged in Multiple U.S. HacksMedical Offices, Retailers, Security Firms Among Alleged Targets
A former systems administrator at a Romanian financial services institution has been extradited to the U.S. and charged with orchestrating an international hacking scheme that included attacks on medical offices, retailers and security firms.
In a March 23 statement, the U.S. Department of Justice says Mircea-Ilie Ispasoiu, 29, of Drobeta-Turnu Severin, Romania, allegedly hacked into networks "to steal user names and passwords, personal identifiers and credit and debit card data."
Ispasoiu appeared in U.S. District Court in Newark, N.J., on March 23 to face arraignment on charges contained in an August 2014 federal indictment that include two counts of wire fraud, two counts of unauthorized computer access to obtain information, two counts of unauthorized computer access that caused damage and three counts of aggravated identity theft.
Ispasoiu was arrested Nov. 13, 2014, following an investigation led by the U.S. Secret Service and coordinated with Romanian law enforcement, federal prosecutors say. The Court of Appeal of Bucharest granted extradition on Jan. 26, and Ispasoiu arrived in the U.S. on March 20, according to the Justice Department.
Prosecutors say that from August 2011 through February 2014, Ispasoiu was employed as a computer systems administrator at a large unidentified financial institution in Romania.
Ispasoiu was able to steal more than 10,000 credit and debit card numbers from just one of the victims, prosecutors say. And in one incident, he allegedly gained access to a computer at a large security company that ran background checks on job applicants. "Ispasoiu stole the applicants' personal identifying information, including their fingerprints," the DOJ statement says.
"The successful extradition of an Eastern European hacker is very significant, demonstrating that the U.S. can successfully reach beyond its borders to stop the threat at its source," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "Overall, however, while this extradition is a positive development, it represents a very small amount of progress in addressing a problem that is getting bigger by the day."
Indictment documents allege that Ispasoiu, "after gaining unauthorized access to the victim computers ... caused malware to be installed onto the victim computers, including key-logging software that recorded the keystrokes being entered into the victim computers and recorded images of what was displayed on the screens of the victim computers, thereby allowing Ispasoiu to capture stolen data as it was being entered into, or viewed on, the victim computers."
Additionally, prosecutors allege that the malware installed on the victims' computers was also configured to exfiltrate stolen data to email addresses that Ispasoiu controlled.
The victims, which were all unidentified, included a medical office in the Phoenix area; a large security firm operating throughout the U.S.; a car dealer in New Brunswick, N.J.; and a restaurant in Montclair, N.J., according to the indictment documents.
In the alleged hack on the medical office, prosecutors charge that in September 2012, Ispasoiu stole log-in credentials and payment card data that was sent to an email account controlled by the defendant.
The September 2012 hacker attack on a major security firm involved Ispasoui allegedly gaining access to computers and causing malware to be placed on the firm's network."This malware infected a computer that had access to the system that ran background checks on applicants for jobs and captured the personally identifiable information of applicants, including their names, addresses, Social Security numbers, and fingerprints," the indictment states.
The August 2011 attack on the restaurant and the October 2011 attack on the car dealer allegedly involved the defendant gaining access to computers affiliated with those businesses and causing malware to be placed on their networks. The data allegedly stolen from those businesses included log-in credentials for a payroll website, a banking site, as well as names, addresses and Social Security numbers of individuals.
A spokesman for the U.S. attorney's office in New Jersey tells Information Security Media Group that the investigation into the Ispasoiu case is ongoing. Prosecutors are still calculating how many individuals are potentially victims of the alleged crimes and whether there are co-conspirators involved with the scheme.
Ispasoiu's trial is slated for June 1. He did not enter a plea during his initial March 23 court appearance, the prosectors' spokesman says.
Potential maximum penalties faced by Ispasoiu range from 30 years in prison, plus $1 million fine for wire fraud; to mandatory two years prison time, plus $250,000 fine for the aggravated ID theft charges. He also faces five years in prison, plus $250,000 fine for each count of unauthorized computer access, prosecutors says.
Ispasoiu is the second alleged hacker recently extradited to the U.S. to face criminal charges. More than two years after his arrest, Russian national Vladimir Drinkman, 34, was extradited and charged on Feb. 17 in the same New Jersey federal court with masterminding the biggest hack attack in U.S. history (see Alleged Russian Mega-Hacker Extradicted). Drinkman pleaded not guilty to 11 charges filed against him (see Fraud Indictment: 160 Million Cards).
Foreign hackers are a bigger threat than domestic hackers in the U.S., says security expert Mac McMillan, founder of consulting firm CynergisTek. "Many of them believe they can hide behind foreign governments that don't support or share our principles or laws around this activity, and in some cases as we have seen they are actually supported or financed by those governments. I think this emboldens them."